+269: [critical] Potential problem: drupal_set_message() (http://api.drupal.org/api/function/drupal_set_message/) only accepts filtered text, make sure all !placeholders for $variables in t() (http://api.drupal.org/api/function/t/) are fully sanitized using check_plain() (http://api.drupal.org/api/function/check_plain/), filter_xss() (http://api.drupal.org/api/function/filter_xss/) or similar.
Related to this code:
drupal_set_message(t('Batch complete! View/Download !results', array(
'!results' => filter_xss(l(t('simple results'), file_create_url($filename))),
)), 'info');
What is wrong here?
Answer 0 (score: 3)
The approach you are using is in the "DO NOT DO THESE THINGS" part of Dynamic or static links in translatable strings. You need to change it to one of the approved approaches. For reference:
<?php
// DO NOT DO THESE THINGS
$BAD_EXTERNAL_LINK = t('Look at Drupal documentation at !handbook.', array('!handbook' => '<a href="http://drupal.org/handbooks">'. t('the Drupal Handbooks') .'</a>'));
$ANOTHER_BAD_EXTERNAL_LINK = t('Look at Drupal documentation at <a href="http://drupal.org/handbooks">the Drupal Handbooks</a>.');
$BAD_INTERNAL_LINK = t('To get an overview of your administration options, go to !administer in the main menu.', array('!administer' => l(t('the Administer screen'), 'admin')));
// Do this instead.
$external_link = t('Look at Drupal documentation at <a href="@drupal-handbook">the Drupal Handbooks</a>.', array('@drupal-handbook' => 'http://drupal.org/handbooks'));
$internal_link = t('To get an overview of your administration options, go to <a href="@administer-page">the Administer screen</a> in the main menu.', array('@administer-page' => url('admin')));
?>
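As an added example (not part of the original question or answer, and not Drupal's own code), here is the flagged call rewritten with the approved '@' placeholder, run against a constructed file URL. The t_stub() and check_plain() functions below are minimal stand-ins for Drupal 7's t()/format_string() and check_plain() so the snippet runs outside Drupal; the real functions behave the same way for these placeholders.

```php
<?php
// Stand-in for Drupal's check_plain(): HTML-escape a plain-text string.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simplified stand-in for t()/format_string() placeholder handling:
//   !var  inserted verbatim (the caller is responsible for sanitizing)
//   %var  escaped and wrapped in <em class="placeholder">
//   @var  (and anything else) escaped with check_plain()
function t_stub($string, array $args = array()) {
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '!':
                break;
            case '%':
                $args[$key] = '<em class="placeholder">' . check_plain($value) . '</em>';
                break;
            default:
                $args[$key] = check_plain($value);
        }
    }
    return strtr($string, $args);
}

// Constructed value standing in for file_create_url($filename); the stray
// quote shows what happens if a file name is not what the code expects.
$results_url = 'http://example.com/files/out.csv" title="injected';

// Approved pattern from the answer: the link markup stays inside the
// translatable string, only the URL is a placeholder, and '@' guarantees
// it is escaped before it lands in the href attribute.
$message = t_stub('Batch complete! View/Download <a href="@results-url">simple results</a>', array(
    '@results-url' => $results_url,
));
echo $message, "\n";

// The flagged pattern: '!' inserts the value as-is, so a static checker such
// as Coder cannot prove it was sanitized. Here nothing escaped the quote, so
// the attribute boundary is broken in the resulting markup.
$unsafe = t_stub('Batch complete! View/Download !results', array(
    '!results' => '<a href="' . $results_url . '">simple results</a>',
));
echo $unsafe, "\n";
```

Running the script prints the safe message with the quote rendered as &quot; inside the href, and the unsafe message with the quote intact, which is exactly the difference the Coder warning is about.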